Privileges

You can manage who can do what with your Coveo Cloud organization by assigning access levels on privileges when you define groups or API keys (see Groups - Page and API Keys - Page). See which access levels are available for each privileges in the tables below.

In the Coveo Cloud V2 administration console, privileges are grouped by service. Group members that are granted an access level for privilege typically gain access to one or more related administration console main menu pages and related API calls. For most privileges, the available access levels are View and Edit. Members with the View access level on a privilege can only review the configuration of a resource. To edit the configuration and access the child panels of a main menu page, the Edit access level is usually required. Similarly, the ability to create new resources is automatically granted with the Edit access level, unless, for Sources, you opt for a Custom access level, in which case you can choose whether to grant it or not (see Custom).

Although most privilege names may be similar to the options in the Coveo Cloud V2 administration console navigation menu, a View or Edit access level on a privilege alone is not necessarily sufficient to view or edit the corresponding page content. Other privileges may be required to view or edit the content of an administration console page. See the Required Privileges section at the bottom of the documentation page corresponding to the desired administration console page for a list of all required privileges.
The minimal privilege to allow members of a group to access any Coveo Cloud administration console main menu page is the Organization privilege from the Organization service (see Organization Privilege).

When your Coveo Cloud organization members do not have the minimal View access level on the Organization privilege and try to log in to the Coveo Cloud V2 administration console, they get the following message:

Insufficient privileges

You currently have insufficient privileges to access the Coveo Cloud administration console of the [OrganizationName] organization. Contact an administrator of the [OrganizationName] organization to change your privileges, or select an organization to which you have access through the Coveo Cloud administration console.

The API keys, Sources, and Groups privileges offer the Custom access level option, which allows you to grant each API key, source, or group its own access level (see Privileges, Sources Privilege, and Groups Privilege). For instance, you could grant your SharePoint Administrators group the Edit access level for your SharePoint sources, but only the View level for the other sources in the organization. Moreover, when you select the Custom access level option for Sources, you can decide whether the grantee (group or API key) should also be able to create new API keys or sources, respectively.

The Administrators group cannot be deleted, and its privileges cannot be edited (see Delete a Group). You can however duplicate the Administrators group, and then edit the desired parameters for the new group (see Duplicate a Group).
Privileges have nothing to do with view permissions on source items (see Coveo Cloud V2 Management of Security Identities and Item Permissions). Coveo Cloud organization privileges allow you to control who can do what through the Coveo Cloud administration console or API, while permissions on source items, dependent on your source configuration, determine which end-users can see what items in search results.

When you edit the privileges of a group or an API key, your options may vary. For each privilege, the access levels you can grant depend on the access level you have yourself, as well as the level that was last saved (see Groups and API Keys). In short, the list of access levels from which you can choose generally consists of the last saved access level, the access level you have, and the access levels of lesser importance than those.

The following table summarizes the available access levels in each scenario, assuming you have the Edit access level for the group or API key of which you want to edit the privileges:

Access level you have	Last saved access level	Access levels you can grant the group or API key
None	None	N/A (you cannot change the access level)
None	View all	None or View all
None	Custom	None, View all, or Custom¹
None	Edit all	None, View all, or Edit all
View all	None or View all	None or View all
View all	Custom	None, View all, or Custom
View all	Edit all	None, View all, or Edit all
Custom	None, View all, or Custom	None, View all, or Custom
Custom	Edit all	None, View all, Custom, or Edit all
Edit all	Any	None, View all, Custom, or Edit all

Note 1: In this scenario, albeit with Custom selected, you cannot view the list of sources available in the organization, as you do not have the View all access level on Sources (see Sources privilege).

This table also applies for privileges that do not offer the Custom access level option, such as Fields (see Fields privilege).

You are allowed to edit the Content Viewers group. This group has the View all access level for the Fields privilege, while you have Edit all. When changing the group’s access level for this privilege, you can choose from your access level, those of lesser importance, and the original group’s access level, i.e., Edit all, View all, or no access at all.

When a user is a member of groups that have conflicting privilege access levels, the highest granted access level applies.

John Smith is a member of the Analytics Viewers and the custom-made Limited Administrators groups. The following table shows an excerpt of the privileges granted to both groups.

Service	Name	`Analytics Viewers` access levels	`Limited Administrators` access levels
Analytics	Administrate	(None)	Enable
	Analytics data	View	Edit
	Data Exports	View	Edit
	Dimensions	View	Edit
	Impersonate	Enable	(None)

Since the first four privilege access levels granted to the Limited Administrators group are of a higher level than those granted to the Analytics Viewers group, these Limited Administrators privilege access levels apply to John Smith. Therefore, John Smith can edit dimensions, for instance, even though he is also in the Analytics Viewers group, which is not allowed to perform dimension edits.

As for the Impersonate privilege, however, the Analytics Viewers group has the Enable access level while the Limited Administrators group does not. Consequently, John Smith is granted the Enable access level.

The following tables shows the resulting privileges granted to John Smith.

Service	Name	`John Smith`'s access levels
Analytics	Administrate	Enable
	Analytics data	Edit
	Data Exports	Edit
	Dimensions	Edit
	Impersonate	Enable

The following sections correspond the services and privileges displayed in the Privilege tab you see when creating or editing a group or an API key (see Groups - Page and API Keys - Page). They present the abilities that come with each access level option for a privilege. For each privilege, the Typical grantees column shows which of the built-in groups are granted each level by default: Administrators, Analytics Managers, Analytics Viewers, Content Managers, Relevance Managers, and Users (see About Coveo Cloud V2 User Management). See also About Coveo Cloud V2 User Management for a list of the default access levels granted to each built-in role.

Analytics Service

Administrate Privilege

Access level	Grantee abilities	Typical grantees
Enable	Manage the organization usage analytics data: Add and delete test usage analytics data in the account Edit, get, delete, and disable the organization account Define IP addresses whose events are flagged as internal (see Administration API - Version 15 and Specify Internal IPs)	Administrators API keys

Analytics Data Privilege

Access level	Grantee abilities	Typical grantees
View	View reports (see Managing Usage Analytics Reports) View dimensions (see Managing Dimensions on Custom Metadata) View named filters (see Managing Named Filters) View permission filters (see Managing Permission Filters) View usage analytics data exports (see Managing Data Exports) View Coveo Machine Learning models (see Coveo Machine Learning Models)	Analytics managers Analytics viewers Relevance managers
Push	Send analytics events to the Coveo usage analytics service (see API Keys - Page)	OAuth tokens, API keys, and search tokens assigned to a process such as a search interface
Push and view	View reports (see Managing Usage Analytics Reports) View dimensions (see Managing Dimensions on Custom Metadata) View named filters (see Managing Named Filters) View permission filters (see Managing Permission Filters) View usage analytics data exports (see Managing Data Exports) View Coveo Machine Learning models (see Coveo Machine Learning Models) Send analytics events to the Coveo usage analytics service (see API Keys - Page)	Administrators

Data Exports Privilege

The Data exports privilege access levels are ineffective without the View access level on the Analytics data privilege (see Analytics Data Privilege).

Access level	Grantee abilities	Typical grantees
View	View and download usage analytics data exports containing clicks, groups, keywords, searches, and custom events meeting the specified criteria for a specific date range (see Managing Data Exports)
Edit	Add, edit, or delete analytics data exports from the specified user visits (see Managing Data Exports) Review user visits (see Reviewing User Visits With the Visit Browser)	Administrators Analytics managers Analytics viewers Relevance managers

Dimensions Privilege

The Dimensions privilege access levels are ineffective without the View access level on the Analytics data privilege (see Analytics Data Privilege).

Access level	Grantee abilities	Typical grantees
View	View dimensions (see Managing Dimensions on Custom Metadata). View reports (see Managing Usage Analytics Reports) View named filters (see Managing Named Filters) View permission filters (see Managing Permission Filters)	Analytics viewers
Edit	Add, edit, or delete dimensions created by Coveo Cloud organization members (see Managing Dimensions on Custom Metadata).	Administrators Analytics managers

Impersonate Privilege

Access level	Grantee abilities	Typical grantees
Enable	Allow a custom process or bot to push usage analytics events with different identities.	Administrators API keys

Named Filters Privilege

The Named filters privilege access levels are ineffective without the View access level on the Analytics data and Dimensions privileges (see Analytics Data Privilege and Dimensions Privilege).

Access level	Grantee abilities	Typical grantees
View	View named filters (see Managing Named Filters)	Analytics viewers Users
Edit	Add, edit, or delete named filters (see Managing Named Filters)	Administrators Analytics managers Relevance managers

Permission Filters Privilege

The Permission filters privilege access levels are ineffective without the View access level on the Analytics data and Dimensions privileges (see Analytics Data Privilege and Dimensions Privilege).

Access level	Grantee abilities	Typical grantees
View	View permission filters restricting the usage analytics data that analysts can review in reports (see Managing Permission Filters) Without the View access level, you cannot see the permissions filters that are assigned to your identity in reports.	Analytics viewers Analytics managers Relevance managers Users
Edit	Add, edit, or delete permission filters (see Managing Permission Filters) The Edit access level is ineffective without the View access level on the Groups privilege (see Groups Privilege).	Administrators

Reports Privilege

The Reports privilege access levels are ineffective without the View access level on the Analytics data and Dimensions privileges (see Analytics Data Privilege and Dimensions Privilege).

Access level	Grantee abilities	Typical grantees
View	View usage analytics reports (see Reviewing and Managing Dashboards and Reviewing and Managing Usage Analytics Explorers)	Analytics viewers
Edit	Add, edit, or delete usage analytics reports (see Managing Usage Analytics Reports) The Edit access level is ineffective without the Enable access level on the Administrate privilege (see Administrate Privilege).	Administrators Analytics managers Relevance managers

Suggest Queries Privilege

Access level	Grantee abilities	Typical grantees
Enable	Allow a process such as a search interface to receive query suggestions from the Coveo Usage Analytics service (see About Usage Analytics Service Query Suggestions)	Administrators API keys

View All Reports Privilege

Access level	Grantee abilities	Typical grantees
Enable	View all reports, regardless of report accesses (see Managing Usage Analytics Report Access in Reports). Members that do not have this access level can only review the reports they are explicitly allowed to access.	Administrators Analytics managers

Content Service

Extensions Privilege

Access level	Grantee abilities	Typical grantees
View	View the code and usage statistics of available extensions assigned to sources. This is especially useful when troubleshooting cases such as item indexing issues (see Extensions - Page).
Edit	Add code snippets to apply transformations to included items such as adding or modifying metadata (see Extensions - Page). It is recommended to grant this privilege to developers only.	Administrators Content managers

Fields Privilege

Access level	Grantee abilities	Typical grantees
View	View fields and field configuration (see Fields - Page)	Users
Edit	Add, edit, or delete fields (see Fields - Page) Add, update, or delete fields in batches (see Creating Fields)	Administrators API keys Content managers

Security Identities Privilege

The Security identities privilege access levels are ineffective without the View access level on the Security identity providers privilege (see Security Identity Providers Privilege).

Access level	Grantee abilities	Typical grantees
View	View security identity provider update status, statistics, and refresh schedule (see Security Identities - Page) View security identity provider references such as provider IDs and the sources that use each provider (see Review Additional Statistics) View the permissions and effective permissions on Coveo Cloud organization items (see Item Properties - Panel) View security identities and their status inside each security provider
Edit	Only required by certain API calls (e.g., enable all disabled entities in security cache). Granting it to users or groups does not give them any additional capabilities.	Administrators

Security Identity Providers Privilege

Access level	Grantee abilities	Typical grantees
View	View security identity provider update status, statistics, and refresh schedule (see Security Identities - Page) View security identity provider references such as provider IDs and the sources that use each provider (see Review Additional Statistics) View security identities and their status inside each security provider
Edit	Refresh security identity providers (see Refresh a Security Identity Provider and Refresh All Security Identities) Edit security identity provider refresh schedules (see ) Edit provider JSON configuration (see Manage Advanced Security Identity Provider Parameters)	Administrators

Sources Privilege

To review source content in the Content Browser, you must have the Enable access level on the Execute queries privilege (see Content Browser - Page and Execute Queries Privilege).
When a group has the View access level for some or all sources, the corresponding sources are grayed out in the Sources page (see Sources - Page).
Unlike for other resources, the ability to create sources can be granted without the Edit access level. When granting privileges, you can therefore grant a group or API key the View all or Custom access level for sources and check the Can Create checkbox to allow users to create sources.

Access level		Grantee abilities	Typical grantees
View all		View all sources (see Sources - Page) View configuration of all sources View all source logs (see Log Browser) Subscribe to source notifications (see User Notifications)	Users
Custom¹	View	View source (see Sources - Page) View source configuration View source logs (see Log Browser) Subscribe to source notifications (see User Notifications)
Custom¹	Edit	Edit or delete specific sources (see Add/Edit a Source - Panel) Edit specific source refresh schedules (see Edit a Source Schedule: [SourceName] - Panel) Edit specific source mappings (see Edit the Mappings of a Source: [SourceName]) Launch, pause, resume, and cancel specific source updates (see Refresh, Rescan or Rebuild Sources) Use the push API to send content to Coveo Cloud (see Push API) Subscribe to source notifications (see User Notifications)
Edit all		Add all sources (see Add/Edit a Source - Panel) Edit or delete all sources (see Add/Edit a Source - Panel) Edit all source refresh schedules (see Edit a Source Schedule: [SourceName] - Panel) Edit all source mappings (see Edit the Mappings of a Source: [SourceName]) Launch, pause, resume, and cancel all source updates (see Refresh, Rescan or Rebuild Sources) Use the push API to send content to Coveo Cloud (see Push API) Subscribe to source notifications (see User Notifications)	Administrators API keys Content managers

Note 1: See Custom Access Level.

Machine Learning Service

Models Privilege

You cannot view and edit Coveo Machine Learning models without the following access levels:

View access level on the Analytics data privilege (see Analytics Data Privilege)
View access level on the Dimensions privilege (see Dimensions Privilege)
View and Edit access levels on the Query pipelines privilege (see Query Pipelines Privilege)

Access level	Grantee abilities	Typical grantees
View	Review the list of Coveo Machine Learning models inside the organization query pipelines (see Models - Page)
Edit	Add, edit, or delete query pipeline models, and thus optimize search results relevance and search experience in general (see Managing Coveo Machine Learning Automatic Relevance Tuning Models in a Query Pipeline, Managing Coveo Machine Learning Query Suggestions Models in a Query Pipeline, and Managing Coveo Machine Learning Event Recommendations Models in a Query Pipeline)	Administrators Relevance managers

Organization Service

API Keys Privilege

This privilege is only available when configuring groups, as API keys cannot be granted access rights to view or edit other API keys (see Groups - Page).
When members of a group have the View access level for some or all API keys, the corresponding keys are grayed out in the API Keys page (see View and Edit).

Access level		Grantee abilities	Typical grantees
View all		View in read-only mode the configuration of all API keys (see API Keys - Page).	Content managers Relevance managers
Custom¹	View	View in read-only mode the configuration of specific API keys (see API Keys - Page).
Custom¹	Edit	Edit, delete, activate, and disable specific API keys (see API Keys - Page and Custom Access Levels)
Edit all		Add, edit, delete, activate, and disable all API keys (see API Keys - Page and Custom Access Levels)	Administrators

Note 1: See Custom Access Level.

Activities Privilege

Access level		Grantee abilities	Typical grantees
View		View all organization activities (see Activity Browser - Page) A member with the View access level could see activities from administration console pages for which they are not granted any access levels.	Content managers Relevance managers
Edit		Send custom activities to Coveo Cloud V2 (see Add/Edit Push Source - Panel)	Administrators API keys

Elasticsearch Indexes Privilege

This privilege is only available in organizations with an Elasticsearch index (see Review the Product Name, Product Type, Product Edition, and Index Type).

Access level		Grantee abilities	Typical grantees
View		View index status (see Index Status) View index details (see Review Index Details)
Edit		Add an index (see Add an Index) Edit the JSON configuration of an index (see Edit an Index JSON Configuration)	Administrators

Groups Privilege

Grant the Edit or Edit all access level for the Groups privilege only to a few people, ideally the authority in your company that manages access rights in corporate systems.

When members of a group have the View access level for some or all groups, the corresponding groups are grayed out in the Groups page (see View and Edit).

Access level		Grantee abilities	Typical grantees
View all		View all groups, including their privileges (see Groups - Page) View organization members (see Members - Page)	Analytics managers
Custom¹	View	View groups, including their privileges (see Groups - Page)	Content managers Relevance managers² Users³
Custom¹	Edit	Copy, edit, or delete groups and members (see Duplicate a Group, Edit a Group, and Delete a Group) Edit group member privileges (see Privileges Tab) Send invitations to users (see Groups - Page, and Members - Page)	Relevance managers² Users³
Edit all		Copy, edit, or delete all groups and their members (see Duplicate a Group, Edit a Group, and Delete a Group) Edit privileges of all groups (see Privileges Tab) Send invitations to users (see Groups - Page and Members - Page)	Administrators

Note 1: See Custom Access Level.

Note 2: By default, members of the Relevance Managers built-in group can edit this group only. This allows them to invite other people in the Relevance Managers group, but not in other groups.

Note 3: By default, members of the Users built-in group can edit this group only. This allows them to invite other people in the Users group, but not in other groups.

Notifications Privilege

Access level		Grantee abilities	Typical grantees
View		View organization notifications (see Notifications - Page)
Edit		Edit and delete organization notifications (see Notifications - Page)	Administrators

On-Premises Organization Privilege

This privilege is required by the Coveo On-Premises Crawling Module API keys only (see Coveo On-Premises Crawling Module and API Keys - Page). Granting it to users or groups does not give them any additional capabilities.

Organization Privilege

Access level Grantee abilities Typical grantees

View

Access level	Grantee abilities	Typical grantees
View	Access the Coveo Cloud administration console (see Coveo Cloud V2 Administration Console) Without the View access level, an organization member gets the following message when trying to log in to the administration console (see Logging in to Coveo Cloud V2): `Insufficient Privileges - You currently have insufficient privileges to access the Coveo Cloud administration console of the [OrganizationName] organization. Contact an administrator of the [OrganizationName] organization to change your privileges, or select an organization to which you have access through the Coveo Cloud administration console.` View the organization status and license type (see Review the License Type).	Analytics managers Analytics viewers Content managers Relevance managers Users
Edit	Edit the organization display name and contact (see Change the Name of the Organization) Delete the organization (see Delete an Organization) Allow Coveo Professional Services access to the organization (see Authorize the Coveo Professional Services Team to Access and Modify Your Organization on Your Behalf)	Administrators

Access the Coveo Cloud administration console (see Coveo Cloud V2 Administration Console)

Without the View access level, an organization member gets the following message when trying to log in to the administration console (see Logging in to Coveo Cloud V2):

Insufficient Privileges - You currently have insufficient privileges to access the Coveo Cloud administration console of the [OrganizationName] organization. Contact an administrator of the [OrganizationName] organization to change your privileges, or select an organization to which you have access through the Coveo Cloud administration console.
View the organization status and license type (see Review the License Type).

Analytics managers
Analytics viewers
Content managers
Relevance managers
Users

Edit

Edit the organization display name and contact (see Change the Name of the Organization)
Delete the organization (see Delete an Organization)
Allow Coveo Professional Services access to the organization (see Authorize the Coveo Professional Services Team to Access and Modify Your Organization on Your Behalf)

Administrators

SAML Identity Provider Privilege

Access level		Grantee abilities	Typical grantees
View		View SAML single sign-on settings (see Coveo Cloud V2 SAML SSO)
Edit		Configure SAML single sign-on for the organization and edit the single sign-on settings	Administrators

Snapshots Privilege

Required to use an upcoming feature. Granting it to users or groups does not give them any additional capabilities yet.

Search Service

Execute Queries Privilege

Access level	Grantee abilities	Typical grantees
Enable	For organization members and API keys to send queries and get search results in search pages connected to their Coveo Cloud organization (see Searching with Coveo Cloud).	Administrators API keys Content managers Users

Impersonate Privilege

Access level	Grantee abilities	Typical grantees
Enable	Obtain a search token for a search interface with secured content to perform queries with the end-user identity and return only results the user is authorized to see. Anyone granted this privilege can impersonate any user and see in search results all the content accessible to this user.	Administrators API keys

Modify Authentication Provider Privilege

Access level	Grantee abilities	Typical grantees
Enable	Manage authentication for secured sources such as when they are protected with SharePoint claims-based identities.	Administrators API keys

Query Pipelines Privilege

You cannot view and edit Coveo Machine Learning models without the View access level on the Models (requires the Edit access level to manage models), Analytics data, and Dimensions privileges (see Privileges).

Access level	Grantee abilities	Typical grantees
View	View query pipelines (see What Is a Query Pipeline? and Managing Query Pipelines): View query pipeline rules (see Managing Query Pipeline Rules and Rule Conditions From Tabs) View query pipeline rule conditions (see Managing Query Pipeline Rules and Rule Conditions From Tabs) View A/B tests (see Managing A/B Tests)
Edit	Optimize results relevance and search experience in general: Add, edit, or delete query pipelines (see What Is a Query Pipeline? and Managing Query Pipelines) Add, edit, or delete query pipeline rules (see Managing Query Pipeline Rules and Rule Conditions From Tabs) Add, edit, or delete query pipeline rule conditions (see Managing Query Pipeline Rules and Rule Conditions From Tabs) Add, edit, or delete A/B tests (see Managing A/B Tests)	Administrators Relevance managers

Access level

Grantee abilities

Typical grantees

View

View query pipelines (see What Is a Query Pipeline? and Managing Query Pipelines):
View query pipeline rules (see Managing Query Pipeline Rules and Rule Conditions From Tabs)
View query pipeline rule conditions (see Managing Query Pipeline Rules and Rule Conditions From Tabs)
View A/B tests (see Managing A/B Tests)

Edit

Optimize results relevance and search experience in general:

Add, edit, or delete query pipelines (see What Is a Query Pipeline? and Managing Query Pipelines)
Add, edit, or delete query pipeline rules (see Managing Query Pipeline Rules and Rule Conditions From Tabs)
Add, edit, or delete query pipeline rule conditions (see Managing Query Pipeline Rules and Rule Conditions From Tabs)
Add, edit, or delete A/B tests (see Managing A/B Tests)

Administrators
Relevance managers

Salesforce Index Configuration Privilege

Access level	Grantee abilities	Typical grantees
View	Link a Coveo Cloud organization to a Salesforce organization that uses a Salesforce index.	Administrators
Edit

Access level

Grantee abilities

Typical grantees

View

Link a Coveo Cloud organization to a Salesforce organization that uses a Salesforce index.

Administrators

Edit

Search Pages Privilege

Access level		Grantee abilities	Typical grantees
View		Access the search pages hosted by the Coveo Cloud organizations of which a user is a member	Users
Edit		Add or delete hosted search pages (see Search Pages - Page) Edit hosted search pages, i.e.: Customize search page interfaces (see Customize the Interface of a Search Page) Edit search page configurations (see Search Pages - Page)	Administrators

View All Content Privilege

Access level		Grantee abilities	Typical grantees
Enable		Browse all the content of a Coveo Cloud organization index, and thus be able to troubleshoot search issues (see Content Browser - Page). Anyone granted this privilege bypasses the content permissions, meaning they could see the content of items they do not normally have access to in the original systems.	Administrators